> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Settings

> Patient portal security settings page for managing MFA enrollment, TOTP factors, and app-lock policy.

Patient portal security page at `/portal/security` where portal users manage their multi-factor authentication enrollment and app-lock preferences.

## Overview

The portal Security Settings page (rendered by `PortalMfaPage`) allows authenticated portal patients to enroll and manage TOTP-based MFA factors. It uses `usePortalMfaFactors` to list current factors, `usePortalMfaEnroll` to begin enrollment (returning a QR code and secret), `usePortalMfaVerify` to complete TOTP verification, and `usePortalMfaUnenroll` to remove a factor. The page is nested within `PortalLayout` which requires an active portal session.

## Who it's for

Access follows your organization's role and module configuration. Requires an active portal session.

## Before you start

* You must be signed in to the patient portal.
* A TOTP authenticator app (e.g., Google Authenticator, Authy) is required to complete MFA enrollment.

## Steps

1. Navigate to `/portal/security` (accessible from the portal navigation sidebar under **Security**).
2. Click **Enable MFA** (or equivalent) to begin TOTP enrollment.
3. Scan the QR code shown with your authenticator app, or enter the secret manually.
4. Enter the 6-digit code from your authenticator to verify and activate MFA.
5. To remove an existing MFA factor, select it and confirm unenrollment.

## Key concepts

**TOTP factor** — A time-based one-time password method. Enrollment creates a factor with status `verified` once confirmed.

**App-lock** — SME: confirm if the portal-side MFA page also surfaces app-lock preferences or if that is staff-only via `/settings/security`.

## Related

<Columns cols={2}>
  <Card title="Platform Foundation" icon="layer-group" href="/pf/overview">
    Platform Foundation overview.
  </Card>

  <Card title="Governance & parity" icon="scale-balanced" href="/governance/index" />
</Columns>

<Note>
  This page documents shipped product behavior. It is not medical, legal, or
  billing advice. Verify against your organization's policies and applicable
  regulations before using it for clinical, compliance, or billing decisions.
  Protected health information (PHI) shown in the product is governed by your
  tenant's access controls and is never exposed in this documentation.
</Note>

<Accordion title="Documentation sources">
  * src/routes/pm.tsx
  * src/cores/pm/pages/portal/PortalMfaPage.tsx
  * src/cores/pm/hooks/usePortalMfa.ts
</Accordion>
